Abstract. We present an algorithm that unconditionally computes a representation of the unit group of a number field of discriminant $\Delta_K$, given a full-rank subgroup as input, in asymptotically fewer bit operations than the baby-step giant-step algorithm. If the input is assumed to represent the full unit group, for example, under the assumption of the Generalized Riemann Hypothesis, then our algorithm can unconditionally certify its correctness in expected time $O(\Delta_K^{n/(4n+2)+\epsilon}) = O(\Delta_K^{1/4 - 1/(8n+4)+\epsilon})$ where $n$ is the unit rank.

1. Introduction 

Let $K$ be an algebraic number field of discriminant $\Delta_K$. One of the main computational problems in algebraic number theory is to compute a representation of the group of units of the corresponding maximal order $\mathcal{O}_K$. The units are of interest in a number of contexts. As an example, it is well-known that computing the fundamental unit of a real quadratic field is equivalent to solving the Pell equation $x^2 - Dy^2 = 1$.

In general, the unit group consists of a finite torsion subgroup and an infinite part of rank $n$, where $n$ is called the unit rank. A generating system of the infinite part is called a system of fundamental units. The torsion subgroup is an easily-computed group of roots of unity, so computing the unit group means determining a system of fundamental units. Instead of directly computing the units themselves, many algorithms compute a basis of the corresponding logarithm lattice $\Lambda_K$, a rank $n$ lattice in $\mathbb{R}^n$ derived from the Archimedean absolute values of $K$. The fundamental units can be recovered from a basis of $\Lambda_K$ (see, for example, [Thi95]).

The fastest algorithms for unconditionally computing a system of fundamental units, meaning that they generate the entire unit group without having to rely on any unproved assumptions or heuristics, are of exponential complexity in the bit length of the field discriminant. The current state-of-the-art is due to Buchmann [Buc87c], whose algorithm computes a basis of the logarithm lattice in $O(\Delta_K^{1/4+\epsilon})$ bit operations.¹ However, if one is willing to assume the truth of the Generalized Riemann Hypothesis (GRH), then Buchmann's index-calculus algorithm [Buc90] can be used. This algorithm has subexponential complexity in $\log \Delta_K$ assuming the GRH, but unfortunately the correctness of the output also depends on the GRH.
¹ Throughout this paper, the $O$-constants are assumed to be dependent on the degree $[K : \mathbb{Q}]$ of $K$. Furthermore, to simplify notation, expressions involving $\Delta_K$ should be assumed to operate on $|\Delta_K|$.
The motivating question for the work in this paper is whether it is possible to certify that the logarithm lattice of a unit group produced by the index-calculus algorithm is unconditionally correct in asymptotically fewer than $O(\Delta_K^{1/4+\epsilon})$ bit operations. More generally, given a full rank sublattice $\Lambda'$ of the logarithm lattice corresponding to the unit group of a number field $K$, is it possible to compute the full logarithm lattice in fewer than $O((\det \Lambda')^{1/2+\epsilon} \Delta_K^{\epsilon})$ bit operations, i.e., faster than using baby-step giant-step?

These questions were answered affirmatively for the case of real quadratic fields in [dHJW07]. The unit group of a real quadratic field of discriminant $\Delta$ has rank one, generated by a single fundamental unit $\varepsilon_\Delta > 1$. The corresponding lattice of logarithms is generated by a single real number, the regulator $R_\Delta = \log \varepsilon_\Delta$. In [dHJW07], it is proved that an unconditionally correct approximation of $R_\Delta$ can be computed in time $O(S^{1/3} \Delta^{\epsilon})$ given an integer multiple $S$ of $R_\Delta$. Furthermore, if it is assumed that $S$ is the output of the index-calculus algorithm, then, assuming the GRH, $S$ is the regulator and hence of size $O(\Delta^{1/2+\epsilon})$. The end result is an algorithm that unconditionally computes the regulator in expected time $O(\Delta^{1/6+\epsilon})$ assuming the GRH. This algorithm was shown to work very well in practice, as demonstrated by the computation of the regulator of a real quadratic field with 65-decimal digit discriminant, the largest such result to date.

In this paper, we generalize this result to computing a basis of the logarithm lattice corresponding to the unit group of an algebraic number field $K$ with arbitrary unit rank, given a full rank sublattice $\Lambda'$ as input. In particular, we describe an algorithm that solves this problem in $O((\det \Lambda')^{n/(2n+1)+\epsilon} \Delta_K^{\epsilon})$ bit operations. For unit rank one fields we recover the same complexity as [dHJW07], and the algorithm is asymptotically faster than $O((\det \Lambda')^{1/2+\epsilon} \Delta_K^{\epsilon})$ for all $n$. When $\Lambda'$ is computed using the index-calculus algorithm, we have, similar to the quadratic case, that it is in fact the full logarithm lattice under the assumption of the GRH. Thus, we obtain an algorithm for computing the logarithm lattice unconditionally in expected $O(\Delta_K^{n/(4n+2)+\epsilon})$ operations assuming the GRH. Our algorithm is asymptotically faster than $O(\Delta_K^{1/4+\epsilon})$ for all $n$, but the greatest improvements occur for small $n$. For example, for fields of unit rank one we obtain $O(\Delta_K^{1/6+\epsilon})$, the same complexity as [dHJW07] in the real quadratic case, and for unit rank two we obtain $O(\Delta_K^{1/5+\epsilon})$.

The paper is organized as follows. Following a presentation of the required notation and background in Section 2, we give an overview of the algorithm in Section 3. The theory behind the algorithm is described in detail in Section 4, and two important subroutines are described in Section 5. The algorithm itself and a proof of its complexity are given in Section 6, and we finish with some concluding remarks.



2. Notation and Background 

All required information on number fields can be found in [Neu99]. References are provided for results not appearing in this source.

Let $K$ be a number field, i.e. a finite extension of $\mathbb{Q}$. Denote the integral closure of $\mathbb{Z}$ in $K$ by $\mathcal{O}_K$. This is a Dedekind domain. Let $|\cdot|_1, \dots, |\cdot|_{n+1}$ be all $n + 1$ Archimedean absolute values of $K$; these correspond to embeddings $\sigma_i : K \to \mathbb{C}$ up to complex conjugation by $|f|_i = |\sigma_i(f)|$, $f \in K$, $1 \le i \le n + 1$. Let $\deg |\cdot|_i := 1$ if $\sigma_i(K) \subseteq \mathbb{R}$, and $\deg |\cdot|_i := 2$ otherwise. Consider the map

$$\Psi : K^* \to \mathbb{R}^n, \quad f \mapsto (\log|f|_1, \dots, \log|f|_n).$$

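The image of the unit group $\mathcal{O}_K^*$ is a lattice of rank $n$, denoted by $\Lambda_K := \Psi(\mathcal{O}_K^*)$. The kernel of $\Psi|_{\mathcal{O}_K^*} : \mathcal{O}_K^* \to \Lambda_K$ is the group of roots of unity in $K$, $\mu_K$, and we have that $\mathcal{O}_K^* \cong \mu_K \times \Lambda_K \cong \mu_K \times \mathbb{Z}^n$, where the number $n$ is called the unit rank of $K$. Thus, every unit in $\mathcal{O}_K^*$ can be written as $\zeta \varepsilon_1^{e_1} \cdots \varepsilon_n^{e_n}$, where $\zeta \in \mu_K$ and $\varepsilon_1, \dots, \varepsilon_n$ are a system of fundamental units of $\mathcal{O}_K^*$. The regulator $R_K$ of $K$ equals $\det \Lambda_K \cdot \prod_{i=1}^{n} \deg |\cdot|_i$.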

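One can recover a unit $\varepsilon$ from its image $\Psi(\varepsilon)$ up to a root of unity. If one sets $t_i := \log|\varepsilon|_i$, $1 \le i \le n$ and $t_{n+1} := -\frac{1}{\deg |\cdot|_{n+1}} \sum_{i=1}^{n} t_i \deg |\cdot|_i$, one has that $\mu_K \varepsilon \cup \{0\} = \{ f \in \mathcal{O}_K \mid \log|f|_i \le t_i \text{ for } 1 \le i \le n + 1 \}$. Thus, computing a basis of $\Lambda_K$ allows us to recover a system of fundamental units, thereby completely determining the unit group of $\mathcal{O}_K$.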

Another important invariant of $K$ is the discriminant $\Delta_K$; it is defined as follows. The ring $\mathcal{O}_K$ is a free $\mathbb{Z}$-module of rank $d = [K : \mathbb{Q}]$; let $v_1, \dots, v_d \in \mathcal{O}_K$ be a $\mathbb{Z}$-basis of $\mathcal{O}_K$. Moreover, as $K/\mathbb{Q}$ is separable, one has $d$ distinct embeddings $\sigma_1, \dots, \sigma_{n+1}, \sigma_{n+2}, \dots, \sigma_d : K \to \mathbb{C}$. The discriminant $\Delta_K$ is defined as $\det(A)^2$, where $A = (\sigma_i(v_j))_{1 \le i,j \le d} \in \mathbb{C}^{d \times d}$; it can be shown that $\Delta_K \in \mathbb{Z} \setminus \{0\}$, with $\Delta_K \neq \pm 1$ for $K \neq \mathbb{Q}$. In order to simplify the notation, $\Delta_K$ should be understood to be in absolute value when required in arithmetic expressions and complexity statements.

Let $g : \mathbb{R}^{t+1} \to \mathbb{R}_{>0}$ be a function and $x_1, \dots, x_t$ be parameters which can depend on the number field $K$; examples are $\Delta_K$, $R_K$ and $n$. We say that a quantity $f(x_1, \dots, x_t)$ is in $O(g(x_1, \dots, x_t, \epsilon))$, if there exists a family of constants $C_{[K:\mathbb{Q}],\epsilon} > 0$, only depending on $[K : \mathbb{Q}]$ and $\epsilon$, such that for all $\epsilon > 0$ and all number fields $K$, $f(x_1(K), \dots, x_t(K)) \le C_{[K:\mathbb{Q}],\epsilon} \cdot g(x_1(K), \dots, x_t(K), \epsilon)$ for sufficiently large $x_1(K), \dots, x_t(K)$. In that case, we write $f = O(g(x_1, \dots, x_t, \epsilon))$. This simply means that the $O$-constant depends only on the extension degree $[K : \mathbb{Q}]$, and not on any other information of $K$ or any other parameter.

In the following, we will use that $R_K = O(\Delta_K^{1/2+\epsilon})$ by a result of Sands [San91], as well as that $\det \Lambda_K = R_K / \prod_{i=1}^{n} \deg |\cdot|_i$ can be bounded from below only in terms of $[K : \mathbb{Q}]$ by a result of Remak [Rem32]. The latter means that for any sublattice $\Lambda' \subseteq \Lambda_K$, we have $[\Lambda_K : \Lambda'] = \det \Lambda' / \det \Lambda_K = O(\det \Lambda')$. Moreover, we will use that arithmetic in $K$ can be done in $O(\Delta_K^{\epsilon})$ bit operations; see, for example, [Buc87a, Buc87c].

Finally, for $v \in \mathbb{R}^n$ and $M \subseteq \mathbb{R}$, we set $Mv := \{ vm \mid m \in M \}$, and for subsets $M', M'' \subseteq \mathbb{R}^n$, we set $M' + M'' := \{ m' + m'' \mid m' \in M', m'' \in M'' \}$. We equip $\mathbb{R}^n$ with the Euclidean norm, denoted by $\|\cdot\|$, as well as with the Lebesgue measure, denoted by vol.

3. Overview of the Algorithm 

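Our algorithm will, given a sublattice $\Lambda' \subseteq \Lambda_K$ of full rank $n$, compute $\Lambda_K$ in $O((\det \Lambda')^{n/(2n+1)+\epsilon} \Delta_K^{\epsilon})$ bit operations, using $O((\det \Lambda')^{n/(2n+1)} \Delta_K^{\epsilon})$ bits of storage.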

The idea can be sketched as follows. Since $\Lambda'$ is of full rank, the quotient group $\Lambda_K / \Lambda'$ is finite. Denote its order by $i_{\Lambda'}$. Now we do not know $\Lambda_K$ or $i_{\Lambda'}$, but there is an effective test whether a prime $p$ divides the index $i_{\Lambda'}$ based on the following proposition, which we will prove in Section 4.
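Proposition 1. Assume that $\Lambda' = \sum_{i=1}^{n} \mathbb{Z} v_i$ for a basis $(v_1, \dots, v_n)$ of $\mathbb{R}^n$. A prime $p$ divides $i_{\Lambda'}$ if and only if there is an element of $\Lambda_K$ in

$$\left\{ \tfrac{1}{p}\Big(\sum_{i=1}^{k-1} a_i v_i + v_k\Big) \;\Big|\; 1 \le k \le n,\ a_1, \dots, a_{k-1} \in \{0, \dots, p-1\} \right\}.$$

If such an element $v$ exists, set $\Lambda'' := \Lambda' + \mathbb{Z}v$. This is a sublattice of $\Lambda_K$ with $i_{\Lambda''} = [\Lambda_K : \Lambda''] = i_{\Lambda'}/p$. □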

The search set in the proposition is shown in Figure 1a. If we would have a finite set of candidates for prime divisors of $i_{\Lambda'}$, we could iterate through the set of candidates and use the proposition to determine the prime divisors of $i_{\Lambda'}$, their multiplicities and, most importantly, $\Lambda_K$ itself. Unfortunately, as $i_{\Lambda'} = O(\det \Lambda')$, this method would in general be slower than baby-step giant-step.

Alternatively, one could simply search a fundamental parallelepiped of $\Lambda'$, such as $\sum_{i=1}^{n} [0,1] v_i$, for elements of $\Lambda_K$. Using Buchmann's baby-step giant-step method for number fields as presented in [Buc87c], this can be done in $O((\det \Lambda')^{1/2} \Delta_K^{\epsilon})$ bit operations. But instead, one could also directly apply Buchmann's method to compute a basis for $\Lambda_K$ and compare it to $\Lambda'$; if $i_{\Lambda'} \gg 1$, this would actually be faster.

The idea of our algorithm is to combine both approaches. First, we test all primes $p$ below a bound $B$ using an algorithm based on Proposition 1. After that, we use Buchmann's algorithm to search a small subset of the fundamental parallelepiped for elements of $\Lambda_K$. Note that the set of elements we have to search for Proposition 1 lies in a small subset of the fundamental parallelepiped, as illustrated in Figure 1a. More precisely, if $\Lambda' = \sum_{i=1}^{n} \mathbb{Z} v_i$ as in the proposition, the search set for a prime $p$ lies in

$$V_p := \sum_{i=1}^{n-1} [0,1] v_i + [0, \tfrac{1}{p}] v_n.$$



Figure 1. Overview of the Algorithm
Moreover, if $q > p$, then $V_q \subseteq V_p$. Therefore, if we use the method from Proposition 1 for all primes $\le B$, then it suffices to search the set $V_B$ using Buchmann's method, as illustrated in Figure 1b. Finding an optimal value of $B$ that minimizes the total running time of the two parts of the algorithm gives us the results.

Note that we ignore all approximation issues in this algorithm, and refer to the discussion in Sections 13 and 16 of [Buc87c].

4. Lattice Maximization 

Lattice maximization refers to the process described in the previous section, proving that $\Lambda' = \Lambda_K$ or finding a sublattice $\Lambda''$ with $\Lambda' \subsetneq \Lambda'' \subseteq \Lambda_K$. In this section, we describe in more detail the lattice maximization algorithm outlined in the previous section, and prove the results required to establish its correctness and complexity.

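We begin with a lemma which allows us to determine whether an integer is coprime to the index $i_{\Lambda'}$.

Lemma 1. An integer $t > 0$ has a non-trivial common divisor with $i_{\Lambda'}$ if, and only if, $\Lambda' \subsetneq \frac{1}{t}\Lambda' \cap \Lambda_K$. Moreover, any element $v \in (\frac{1}{t}\Lambda' \cap \Lambda_K) \setminus \Lambda'$ gives rise to a sublattice $\Lambda'' := \Lambda' + \mathbb{Z}v \supsetneq \Lambda'$ with $\Lambda'' \subseteq \Lambda_K$, and $[\Lambda'' : \Lambda']$ is a divisor of $t$.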

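Proof. First, assume that $d = \gcd(t, i_{\Lambda'}) > 1$. Let $p$ be a prime dividing $d$. Then there exists an element $v \in \Lambda_K \setminus \Lambda'$ with $pv \in \Lambda'$. But then, $v \in (\Lambda_K \cap \frac{1}{p}\Lambda') \setminus \Lambda' \subseteq (\Lambda_K \cap \frac{1}{t}\Lambda') \setminus \Lambda'$.

Conversely, assume that there exists some $v \in (\Lambda_K \cap \frac{1}{t}\Lambda') \setminus \Lambda'$. Then $tv \in \Lambda'$, whence the order of $v$ in $\Lambda_K/\Lambda'$ is a non-trivial divisor of $t$. But since the order divides $|\Lambda_K/\Lambda'| = i_{\Lambda'}$, we see that $\gcd(t, i_{\Lambda'}) > 1$.

For any $v \in (\frac{1}{t}\Lambda' \cap \Lambda_K) \setminus \Lambda'$, we have $\Lambda'' := \Lambda' + \mathbb{Z}v \subseteq \Lambda_K$ and $\Lambda' \subsetneq \Lambda''$, and since $tv \in \Lambda'$ we see that $\Lambda''/\Lambda' = (v + \Lambda')\mathbb{Z}$ is cyclic of order dividing $t$. □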

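Note that we have a tower of subgroups $\Lambda' \subseteq \frac{1}{t}\Lambda' \cap \Lambda_K \subseteq \frac{1}{t}\Lambda'$. The lemma says that $\gcd(t, i_{\Lambda'}) > 1$ if, and only if, $(\frac{1}{t}\Lambda' \cap \Lambda_K)/\Lambda'$ is not the trivial subgroup of $\frac{1}{t}\Lambda'/\Lambda'$. Hence, if we let $p$ be a prime divisor of $i_{\Lambda'}$, we can replace $\Lambda'$ by a sublattice $\Lambda''$ with $i_{\Lambda''} = i_{\Lambda'}/p$ by searching a set of representatives of $\frac{1}{p}\Lambda'/\Lambda'$. But this can be done more efficiently, as hinted in Proposition 1. This is provided by the following result; note that $\frac{1}{t}\Lambda'/\Lambda' \cong (\mathbb{Z}/t\mathbb{Z})^n$.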

Proposition 2. Let $G$ be a finite group, and let $H \subseteq G$ be a subgroup. Let $\mathcal{S}$ be the set of all cyclic subgroups of prime order of $G$, and let $S \subseteq G$ such that for every $U \in \mathcal{S}$, there exists a unique element $g \in S$ with $U = \langle g \rangle$.

(a) The subgroup $H$ of $G$ is trivial if, and only if, $S \cap H = \emptyset$.

(b) If $G = (\mathbb{Z}/p\mathbb{Z})^m$ for a prime $p$ and $m \in \mathbb{N}$, we can choose the set $S$ to be a subset of

$$\{ (a_1, \dots, a_m) + p\mathbb{Z}^m \mid (a_1, \dots, a_m) \in \{0, \dots, p-1\}^m,\ a_m \le 1 \}.$$

Proof.

(a) The neutral element $e$ generates the trivial subgroup of $G$. Hence, if $H = \{e\}$, then $H \cap S = \emptyset$. Conversely, assume that $|H| > 1$. Then there exists an element $g \in H$ of prime order, and $\langle g \rangle$ is a non-trivial cyclic subgroup of prime order of $G$. Hence, $\langle g \rangle \in \mathcal{S}$, and there exists some $g' \in S$ with $\langle g' \rangle = \langle g \rangle$. In particular, $g' \in \langle g \rangle \subseteq H$, whence $S \cap H \neq \emptyset$.

(b) Let $v = (v_1, \dots, v_m) + p\mathbb{Z}^m \in G$. If $p \mid v_m$, set $\lambda := 1$. Otherwise, let $\lambda \in \mathbb{N}$ such that $\lambda v_m \equiv 1 \pmod{p}$. Set $\hat{v}_i := \lambda v_i \bmod p$; then $\hat{v}_i \in \{0, \dots, p-1\}$ and $\hat{v}_m \in \{0, 1\}$, and we have $(\hat{v}_1, \dots, \hat{v}_m) + p\mathbb{Z}^m = \lambda v$ and $\lambda + p\mathbb{Z} \in (\mathbb{Z}/p\mathbb{Z})^*$. Since $pG = \{(0, \dots, 0) + p\mathbb{Z}^m\}$, we see that every non-trivial cyclic subgroup of $G$ is of order $p$, and the previous discussion shows that every such subgroup is generated by at least one element in the set from the statement of the lemma. □

In fact, we can also write down a minimal such set $S$ for $(\mathbb{Z}/p\mathbb{Z})^m$ directly as

$$S = \{ (v_1, \dots, v_i, 1, 0, \dots, 0) + p\mathbb{Z}^m \mid 0 \le i < m,\ v_1, \dots, v_i \in \{0, \dots, p-1\} \}.$$

This shows that $|S| = 1 + p + p^2 + \cdots + p^{m-1} = \frac{p^m - 1}{p - 1}$. For our algorithm, we can restrict to a subset of $p^{m-1}$ elements, since we also search the volume

$$V := \sum_{i=1}^{n-1} [0,1] v_i + [0, \tfrac{1}{p}] v_n,$$

where the $v_i$ are a basis of $\mathbb{R}^n$. Then we only need the elements of the form

$$(v_1, \dots, v_{m-1}, 1) + p\mathbb{Z}^m.$$

These two results imply Proposition 1. Moreover, we combine them as sketched in Section 3 to obtain our algorithm. The following corollary presents the preceding material in a way which leads directly to the algorithm and its correctness. It is also helpful to compare it with the sketch in Figure 1b.
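The prime test of Proposition 1 together with the enlargement step of Lemma 1 can be run end to end on a toy instance. The following is an added example, not code from the paper: it assumes the full lattice is $\mathbb{Z}^n$, so that the membership oracle (the existence test of Section 5 in the paper) reduces to checking for integer coordinates; the function names and the sample basis are constructed for illustration.

```python
from fractions import Fraction
from itertools import product


def primes_up_to(bound):
    """Sieve of Eratosthenes: all primes p <= bound."""
    sieve = [False, False] + [True] * max(0, bound - 1)
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, bound + 1, i):
                sieve[j] = False
    return [i for i in range(2, bound + 1) if sieve[i]]


def det(rows):
    """Exact determinant by Gaussian elimination over the rationals."""
    m = [[Fraction(x) for x in row] for row in rows]
    n, d = len(m), Fraction(1)
    for c in range(n):
        pivot = next((r for r in range(c, n) if m[r][c] != 0), None)
        if pivot is None:
            return Fraction(0)
        if pivot != c:
            m[c], m[pivot] = m[pivot], m[c]
            d = -d
        d *= m[c][c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return d


def in_integer_lattice(v):
    """Stand-in membership oracle (assumption): the full lattice is Z^n."""
    return all(Fraction(x).denominator == 1 for x in v)


def proposition1_candidates(basis, p):
    """Yield (k, v) with v = (a_1 v_1 + ... + a_{k-1} v_{k-1} + v_k) / p,
    one representative per subgroup of order p (k is 0-based here)."""
    dim = len(basis[0])
    for k in range(len(basis)):
        for a in product(range(p), repeat=k):
            yield k, tuple(
                Fraction(sum(a[i] * basis[i][j] for i in range(k))
                         + basis[k][j]) / p
                for j in range(dim))


def maximize(basis, oracle, prime_bound):
    """Enlarge the lattice spanned by `basis` until no prime <= prime_bound
    divides its index in the lattice described by `oracle`.
    Returns (new_basis, list of primes removed from the index)."""
    basis = [tuple(Fraction(x) for x in row) for row in basis]
    divisors = []
    for p in primes_up_to(prime_bound):
        while True:
            hit = next(((k, v) for k, v in proposition1_candidates(basis, p)
                        if oracle(v)), None)
            if hit is None:
                break  # p does not divide the index (any more)
            k, v = hit
            # v_k = p*v - sum a_i v_i, so swapping v_k for v gives a basis
            # of L' + Zv, and the index drops by exactly p (Lemma 1).
            basis[k] = v
            divisors.append(p)
    return basis, divisors


if __name__ == "__main__":
    # Constructed sample: a sublattice of Z^3 of index |det| = 60.
    sample = [(2, 0, 0), (1, 6, 0), (3, 1, 5)]
    # In this toy the index is known (det Z^3 = 1); it bounds the primes.
    bound = int(abs(det(sample)))
    full, removed = maximize(sample, in_integer_lattice, bound)
    print("primes removed:", removed)
    print("final basis:", [tuple(int(x) for x in v) for v in full])
    print("final |det|:", abs(det(full)))
```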

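Corollary 1. Assume that $\Lambda' = \sum_{i=1}^{n} \mathbb{Z} v_i$, and let $B > 0$ be arbitrary. Let $p_1, \dots, p_t$ be all primes $\le B$. For $i \in \{1, \dots, t\}$, set

$$S_i := \{ \tfrac{1}{p_i}(a_1 v_1 + \cdots + a_{n-1} v_{n-1} + v_n) \mid a_1, \dots, a_{n-1} \in \{0, \dots, p_i - 1\} \}.$$

Moreover, define the volume

$$V_B := \sum_{i=1}^{n-1} [0,1] v_i + [0, \tfrac{1}{B}] v_n.$$

Then $\Lambda_K = \Lambda'$ if, and only if, $\Lambda_K \cap (V_B \cup \bigcup_{i=1}^{t} S_i) = \{0\}$. Otherwise, any non-trivial element $v$ of $\Lambda_K \cap (V_B \cup \bigcup_{i=1}^{t} S_i)$ gives a lattice $\Lambda'' := \Lambda' + \mathbb{Z}v$ with $\Lambda' \subsetneq \Lambda'' \subseteq \Lambda_K$. Moreover, $\mathrm{vol}(V_B) = \frac{1}{B} \det \Lambda'$, $t = O(\frac{B}{\log B})$ and $\sum_{i=1}^{t} |S_i| = O(B^n / \log B)$.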

Proof. Clearly

$$\Big(V_B \cup \bigcup_{i=1}^{t} S_i\Big) \cap \Lambda' = \{0\}.$$

Now assume that $\Lambda' \subsetneq \Lambda_K$. Let $p$ be a prime dividing $i_{\Lambda'}$ and define

$$S := \{ \tfrac{1}{p}(a_1 v_1 + \cdots + a_i v_i + v_{i+1}) \mid i \in \{0, \dots, n-1\},\ a_1, \dots, a_i \in \{0, \dots, p-1\} \};$$

by Proposition 2, $S$ must contain a non-trivial element of $\Lambda_K$. In case $p > B$, we have $S \subseteq V_B$, and in case $p \le B$, say $p = p_i$, we have $S \subseteq S_i \cup V_B$.

Now $\mathrm{vol}(V_B) = \frac{1}{B} \mathrm{vol}(\sum_{i=1}^{n} [0,1) v_i) = \frac{1}{B} \det \Lambda'$. Moreover, by the Prime Number Theorem, $t = O(\frac{B}{\log B})$. Finally, $|S_i| = p_i^{n-1} \le B^{n-1}$, whence $\sum_{i=1}^{t} |S_i| \le t B^{n-1} = O(\frac{B^n}{\log B})$. □

We have seen how the idea sketched in the last section can be made rigorous. It translates in a straightforward manner into an algorithm, as we will see in Section 6. The only missing pieces are how to search for elements in $V_B$, and how to test whether some $v \in \mathbb{R}^n$ lies in $\Lambda_K$. We will investigate this in the next section.

5. Baby-Step Giant-Step Search and Existence Testing 

We will now investigate how to search for elements of $\Lambda_K$ in the set $V = \sum_{i=1}^{n} [0,1] v_i$, where $v_1, \dots, v_n$ is a basis of $\mathbb{R}^n$. We assume that this basis is mostly orthogonal, i.e. $|\det(v_1, \dots, v_n)|^{-1} \prod_{i=1}^{n} \|v_i\| = O(1)$. This means that $\mathrm{vol}(V) = O(\prod_{i=1}^{n} \|v_i\|)$. The algorithm requires $O(\mathrm{vol}(V)^{1/2} \Delta_K^{\epsilon})$ bit operations and was first described by Buchmann in [Buc87c]. We will also describe how to test whether an element $v \in \mathbb{R}^n$ lies in $\Lambda_K$.

For describing these algorithms, we need fractional ideals and the notion of minima of these. A fractional ideal is a finitely generated $\mathcal{O}_K$-submodule of $K$; it is always of the form $\frac{1}{f}\mathfrak{a}$, where $\mathfrak{a}$ is an (integral) ideal of $\mathcal{O}_K$ in the usual sense and $f \in \mathcal{O}_K \setminus \{0\}$. As $\mathcal{O}_K$ is a Dedekind domain, the nonzero fractional ideals form a free abelian group $\mathrm{Id}(K)$ generated by the prime ideals of $\mathcal{O}_K$.

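To define a minimum of an ideal, we use methods from Minkowski's geometry of numbers. Set $W_i := \mathbb{R}$ if $\deg |\cdot|_i = 1$ and $W_i := \mathbb{C}$ otherwise. Then

$$\Phi : K \to W_K := \prod_{i=1}^{n+1} W_i, \quad f \mapsto (\sigma_1(f), \dots, \sigma_{n+1}(f))$$

is injective and maps every fractional ideal $\mathfrak{a} \in \mathrm{Id}(K)$ onto a lattice in the $[K : \mathbb{Q}]$-dimensional real vector space $W_K \cong K \otimes_{\mathbb{Q}} \mathbb{R}$. For $\mathfrak{a} \in \mathrm{Id}(K)$ and $t_1, \dots, t_{n+1} \in \mathbb{R}_{>0}$, define

$$B(\mathfrak{a}, t_1, \dots, t_{n+1}) := \{ f \in \mathfrak{a} \mid |f|_i \le t_i \}.$$

Then $\Phi$ identifies $B(\mathfrak{a}, t_1, \dots, t_{n+1})$ with the finite set of elements in $\Phi(\mathfrak{a})$ which lie in the bounded area $\{ (v_1, \dots, v_{n+1}) \in W_K \mid |v_i| \le t_i \}$. For convenience, define

$$B(\mathfrak{a}, f, f') := B(\mathfrak{a}, \max\{|f|_1, |f'|_1\}, \dots, \max\{|f|_{n+1}, |f'|_{n+1}\})$$

and

$$B(\mathfrak{a}, f) := B(\mathfrak{a}, f, f) = B(\mathfrak{a}, |f|_1, \dots, |f|_{n+1})$$

for $f, f' \in K^*$. Using this notation, we have that $B(\mathcal{O}_K, \varepsilon) = \{0\} \cup \mu_K \varepsilon$ if $\varepsilon \in \mathcal{O}_K^*$.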

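Let $\mathfrak{a} \in \mathrm{Id}(K)$. We say that $\mu \in \mathfrak{a}$ is a minimum of $\mathfrak{a}$ if $f \in B(\mathfrak{a}, \mu) \setminus \{0\}$ implies $|f|_i = |\mu|_i$ for some $i$. Denote the set of all minima of $\mathfrak{a}$ by $\mathcal{E}(\mathfrak{a})$. We say that $\mathfrak{a}$ is reduced if $1 \in \mathcal{E}(\mathfrak{a})$. Note that $\mathcal{O}_K$ itself is reduced.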

The set $\Psi(\mathcal{E}(\mathfrak{a}))$ is distributed rather uniformly in $\mathbb{R}^n$; here, $\Psi$ is as defined in Section 2. More precisely, Buchmann showed the following.

Proposition 3 ([Buc87b, Buc87c]). Let $V = \sum_{i=1}^{n} [a_i, b_i] v_i$, where $(v_1, \dots, v_n)$ is a basis of $\mathbb{R}^n$ and $a_i < b_i$.

(a) Assuming that the $v_i$'s are mostly orthogonal, the set $\Psi(\mathcal{E}(\mathfrak{a})) \cap V$ contains $O(\mathrm{vol}(V))$ elements.

(b) If $V$ contains a sphere of radius i-^/nlogA^, $V \cap \Psi(\mathcal{E}(\mathfrak{a})) \neq \emptyset$.

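Note that $f\mu \in \mathcal{E}(f\mathfrak{a})$ for $f \in K^*$ and $\mu \in \mathcal{E}(\mathfrak{a})$, and moreover that $1 \in \mathcal{E}(\mathcal{O}_K)$. This implies that $\mathcal{O}_K^*$ operates on $\mathcal{E}(\mathfrak{a})$ and that $\mathcal{O}_K^* \subseteq \mathcal{E}(\mathcal{O}_K)$. It turns out that $\mathcal{E}(\mathfrak{a})/\mathcal{O}_K^*$ is finite and contains $O(R_K)$ elements [Buc87b, Theorem 2.1]. Moreover, note that the map $\mathcal{E}(\mathfrak{a})/\mathcal{O}_K^* \to \mathrm{Id}(K)$, $\mu\mathcal{O}_K^* \mapsto \frac{1}{\mu}\mathfrak{a}$ is a bijection between $\mathcal{E}(\mathfrak{a})/\mathcal{O}_K^*$ and the set of reduced ideals equivalent to $\mathfrak{a}$. Denote this set of ideals by $\mathrm{Red}(\mathfrak{a})$. This allows one to represent an element $\mu$ of $\mathcal{E}(\mathfrak{a})$ up to a root of unity by the pair $(\frac{1}{\mu}\mathfrak{a}, \Psi(\mu))$. In practice, one stores $\frac{1}{\mu}\mathfrak{a}$ together with an approximation of $\Psi(\mu)$.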

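The set of minima of an ideal modulo units is known as the infrastructure of that ideal. More precisely, consider the map $\Psi$ together with the lattice $\Lambda_K = \Psi(\mathcal{O}_K^*)$; the map $d_{\mathfrak{a}} : \mathcal{E}(\mathfrak{a})/\mathcal{O}_K^* \to \mathbb{R}^n/\Lambda_K$, $\mu\mathcal{O}_K^* \mapsto \Psi(\mu) + \Lambda_K$, respectively $d_{\mathfrak{a}} : \mathrm{Red}(\mathfrak{a}) \to \mathbb{R}^n/\Lambda_K$, $\frac{1}{\mu}\mathfrak{a} \mapsto \Psi(\mu) + \Lambda_K$, is called the distance map.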

We now discuss how to search for all minima $\mu \in \mathcal{E}(\mathfrak{a})$ with $\Psi(\mu) \in V$. For that, we need the notion of neighboring minima as described in [Buc87a]. Two minima $\mu, \mu' \in \mathcal{E}(\mathfrak{a})$ are said to be neighbors if $f \in B(\mathfrak{a}, \mu, \mu') \setminus \{0\}$ implies $|f|_i = \max\{|\mu|_i, |\mu'|_i\}$ for some $i$. This relation defines a graph structure on $\mathcal{E}(\mathfrak{a})$ and $\mathcal{E}(\mathfrak{a})/\mathcal{O}_K^*$, and Buchmann showed that this graph is connected [Buc87a]. Moreover, Buchmann showed that if $\mathfrak{a}$ is a reduced ideal, one can compute the set of all neighbors of $1 \in \mathcal{E}(\mathfrak{a})$ in $O(\Delta_K^{\epsilon})$ bit operations; in fact, the number of neighbors is in $O((\log \Delta_K)^n)$.

Using this, one can compute the set of all minima of $\mathfrak{a}$ in $V$ in $O(\mathrm{vol}(V) \Delta_K^{\epsilon})$ bit operations. Moreover, one can test whether $\mu\mathcal{O}_K^* = \mu'\mathcal{O}_K^*$ by computing $\frac{1}{\mu}\mathfrak{a}$ and $\frac{1}{\mu'}\mathfrak{a}$ and comparing these. In fact, if one works with $(\frac{1}{\mu}\mathfrak{a}, \Psi(\mu))$ instead of $\mu$ directly, one can do this easily by comparing the ideals in the representations. Another reason to use this representation of $\mathcal{E}(\mathfrak{a})/\mu_K$ is that this representation is small: Thiel showed that one can represent a reduced ideal with at most $([K : \mathbb{Q}]^2 + 1) \log_2 \sqrt{\Delta_K}$ bits [Thi95, Corollary 3.7]. Hence, the storage required to store all minima $\mu \in \mathcal{E}(\mathfrak{a})$ with $\Psi(\mu) \in V$ is $O(\mathrm{vol}(V) \Delta_K^{\epsilon})$ bits.

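We can use this to employ a baby-step giant-step strategy similar to the one in [Buc87c] to search for elements in $V \cap \Lambda_K$, where $V = \sum_{i=1}^{n} [0,1] v_i$. Select integers $a_1, \dots, a_n > 0$ and set

$$\mathcal{B} := -\sum_{i=1}^{n} [0, \tfrac{1}{a_i}] v_i + S \quad \text{and} \quad \mathcal{G} := \Big\{ \sum_{i=1}^{n} \tfrac{\ell_i}{a_i} v_i \;\Big|\; \ell_i \in \mathbb{N},\ 0 \le \ell_i < a_i \Big\},$$

where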

S:={veR n I |H| < i^logAx}. 
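The sets $\mathcal{B}$ and $\mathcal{G}$ are depicted in Figure 2a.

Let $\mathcal{E}_{\mathcal{B}} := \{ (\frac{1}{\mu}\mathfrak{a}, \Psi(\mu)) \mid \mu \in \mathcal{E}(\mathfrak{a}),\ \Psi(\mu) \in \mathcal{B} \}$; this set is called the baby stock. For every $v \in \mathcal{G}$, one can find at least one $\mu \in \mathcal{E}(\mathfrak{a})$ with $\Psi(\mu) \in v + S$ by Proposition 3 (b); choose an arbitrary such $\mu$ as $\mu_v$ and set $\mathcal{E}_{\mathcal{G}} := \{ (\frac{1}{\mu_v}\mathfrak{a}, \Psi(\mu_v)) \mid v \in \mathcal{G} \}$. Finding $\mu_v$ from $v$ is called a giant step. Using the strategy in Section 11 of [Buc87c], $(\frac{1}{\mu_v}\mathcal{O}_K, \Psi(\mu_v))$ can be computed in $O(\log \|v\| \cdot \Delta_K^{\epsilon})$ bit operations. The elements of $\mathcal{E}_{\mathcal{B}}$ and $\mathcal{E}_{\mathcal{G}}$ are depicted in Figure 2b.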

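Proposition 4. For every $\lambda \in V \cap \Lambda_K$, there exists an ideal $\mathfrak{a} \in \mathrm{Red}(\mathcal{O}_K)$ such that $(\mathfrak{a}, v) \in \mathcal{E}_{\mathcal{B}}$, $(\mathfrak{a}, w) \in \mathcal{E}_{\mathcal{G}}$ for some $v, w \in \mathbb{R}^n$ such that $\lambda = w - v$.

Conversely, given an ideal $\mathfrak{a}$ such that $(\mathfrak{a}, v) \in \mathcal{E}_{\mathcal{B}}$, $(\mathfrak{a}, w) \in \mathcal{E}_{\mathcal{G}}$ for some $v, w \in \mathbb{R}^n$, then $w - v \in \Lambda_K$ with $w - v \in V + 2S$.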
Figure 2. Visualization of the baby-step giant-step strategy

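Proof. First, note that $\frac{1}{\mu}\mathfrak{a} = \frac{1}{\mu'}\mathfrak{a}$ if, and only if, $\mu^{-1}\mu' \in \mathcal{O}_K^*$; therefore, $\frac{1}{\mu}\mathfrak{a} = \frac{1}{\mu'}\mathfrak{a}$ if, and only if, $\Psi(\mu') - \Psi(\mu) \in \Psi(\mathcal{O}_K^*) = \Lambda_K$.

Now if $\lambda \in V \cap \Lambda_K$, we can write $\lambda = \sum_{i=1}^{n} \lambda_i v_i$ with $\lambda_i \in [0,1]$. Write $\lambda_i = \mu_i + \frac{\ell_i}{a_i}$ with $\ell_i \in \mathbb{N}$, $\mu_i \in [0, \frac{1}{a_i}]$. Set $w := \sum_{i=1}^{n} \frac{\ell_i}{a_i} v_i$; then $w \in \mathcal{G}$ and $\tilde{w} := \Psi(\mu_w) - w \in S$. Now $v := -\sum_{i=1}^{n} \mu_i v_i + \tilde{w} \in \mathcal{B}$; we have to show that $(\frac{1}{\mu_w}\mathfrak{a}, v) \in \mathcal{E}_{\mathcal{B}}$, as $\Psi(\mu_w) - v = w + \tilde{w} - v = \sum_{i=1}^{n} \frac{\ell_i}{a_i} v_i + \tilde{w} + \sum_{i=1}^{n} \mu_i v_i - \tilde{w} = \lambda$.

For that, let $\varepsilon \in \mathcal{O}_K^*$ with $\Psi(\varepsilon) = \lambda$. Now $\Psi(\varepsilon) = \lambda = \Psi(\mu_w) - v$, whence $v = \Psi(\mu_w \varepsilon^{-1})$. But $\frac{1}{\mu_w}\mathfrak{a} = \frac{1}{\mu_w \varepsilon^{-1}}\mathfrak{a}$, whence $(\frac{1}{\mu_w}\mathfrak{a}, v) = (\frac{1}{\mu_w \varepsilon^{-1}}\mathfrak{a}, \Psi(\mu_w \varepsilon^{-1})) \in \mathcal{E}_{\mathcal{B}}$. □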

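Hence, to find all elements in $V \cap \Lambda_K$, one can enumerate and store $\mathcal{E}_{\mathcal{B}}$, enumerate all elements $v \in \mathcal{G}$, compute a corresponding pair $(\frac{1}{\mu_v}\mathfrak{a}, \Psi(\mu_v))$ and see if $(\frac{1}{\mu_v}\mathfrak{a}, u) \in \mathcal{E}_{\mathcal{B}}$ for some $u \in \mathbb{R}^n$. If that is the case, one obtains an element of $\Lambda_K \cap (V + 2S)$, and the proposition shows that every element of $\Lambda_K \cap V$ can be obtained in this way. As in [Buc87c], this yields the following.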

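Corollary 2. Let $R = \mathrm{vol}(V)$. The strategy sketched above computes all elements in $V \cap \Lambda_K$ in $O((R \prod_{i=1}^{n} a_i^{-1} + \prod_{i=1}^{n} a_i \cdot \log \max_{i=1,\dots,n} \|v_i\|) \Delta_K^{\epsilon})$ bit operations and requires $O(R \prod_{i=1}^{n} a_i^{-1} \cdot \Delta_K^{\epsilon})$ bits of storage.

Note that the running time is minimized if $\prod_{i=1}^{n} a_i \approx \sqrt{R}$.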

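Proof. The storage requirements follow from Proposition 3 (a) and [Thi95, Corollary 3.7]. Using the enumeration technique by Buchmann [Buc87a, Buc87c], one can compute $\mathcal{E}_{\mathcal{B}}$ in $O(R \prod_{i=1}^{n} a_i^{-1} \cdot \Delta_K^{\epsilon})$ bit operations since $\mathrm{vol}(\mathcal{B}) = O(R \cdot \prod_{i=1}^{n} a_i^{-1} \cdot \Delta_K^{\epsilon})$. Finally, one can compute the elements in $\mathcal{E}_{\mathcal{G}}$ in $O(|\mathcal{E}_{\mathcal{G}}| \Delta_K^{\epsilon} \cdot \log \max \|v_i\|)$ bit operations. □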

Finally, we discuss how to test whether $v \in \Lambda_K$ for some $v \in \mathbb{R}^n$. We use the giant step strategy mentioned above to compute some $\mu \in \mathcal{E}(\mathcal{O}_K)$ with $\Psi(\mu) \in v + S$. Then, one uses the above strategy to enumerate all minima $\mu' \in \mathcal{E}(\frac{1}{\mu}\mathcal{O}_K)$ with $\Psi(\mu') \in S$ to check whether a minimum $\mu'$ with $\Psi(\mu') + \Psi(\mu) = v$ and $\frac{1}{\mu\mu'}\mathcal{O}_K = \mathcal{O}_K$ exists.

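Lemma 2. Let $\mu \in \mathcal{E}(\mathcal{O}_K)$ and $v \in \mathbb{R}^n$. Then there exists a minimum $\mu' \in \mathcal{E}(\frac{1}{\mu}\mathcal{O}_K)$ with $\Psi(\mu) + \Psi(\mu') = v$ such that $\frac{1}{\mu\mu'}\mathcal{O}_K = \mathcal{O}_K$ if, and only if, $v \in \Lambda_K$.

Proof. First, assume that $\Psi(\mu') + \Psi(\mu) = v$ and $\frac{1}{\mu\mu'}\mathcal{O}_K = \mathcal{O}_K$. Then $\mu\mu' \in \mathcal{O}_K^*$ and $v = \Psi(\mu\mu') \in \Lambda_K$. Conversely, assume that $v \in \Lambda_K$, say $v = \Psi(\varepsilon)$ with $\varepsilon \in \mathcal{O}_K^*$. But $\varepsilon \in \mathcal{E}(\mathcal{O}_K)$ and $\mu' := \frac{\varepsilon}{\mu} \in \mathcal{E}(\frac{1}{\mu}\mathcal{O}_K)$, and $\Psi(\mu) + \Psi(\mu') = \Psi(\varepsilon) = v$. □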

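Note that one can compute $\mu_v$ in $O(\log \|v\| \cdot \Delta_K^{\epsilon})$ bit operations, and $S \cap \Psi(\mathcal{E}(\frac{1}{\mu_v}\mathcal{O}_K))$ contains $O(\Delta_K^{\epsilon})$ elements by Proposition 3 (a). Hence we obtain the following corollary.

Corollary 3. Given $v \in \mathbb{R}^n$, one can test whether $v \in \Lambda_K$ in $O(\log \|v\| \cdot \Delta_K^{\epsilon})$ bit operations and $O(\Delta_K^{\epsilon})$ bits of storage. □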

We have seen how we can deploy a baby-step giant-step strategy to search for elements in $V \cap \Lambda_K$. Moreover, we saw how to test whether a given $v \in \mathbb{R}^n$ is an element of $\Lambda_K$. These two methods are the required computational tools to translate the lattice maximization strategy of Corollary 1 into an algorithm.

6. The Algorithm 

The algorithm is in a rather straightforward way based on Corollary 1 combined with a baby-step giant-step strategy as outlined in Section 5. It is formalized in Algorithm 1. The correctness of this algorithm follows directly from Corollaries 1 and 2.

During the course of the algorithm, we try to keep the basis vectors $v_1, \dots, v_n$ as orthogonal as possible; in that case, we have $|\det(v_1, \dots, v_n)| \approx \prod_{i=1}^{n} \|v_i\|$. Such a basis can be computed as in Algorithm 16.10 of [vzGG03] and is called a reduced basis.

We now analyze the asymptotic running time and memory consumption of Algorithm 1. Recall that $[K : \mathbb{Q}] = O(1)$; note that the $O$-constants are assumed to be exponentially dependent on $n$ (compare [Buc87c, p. 5]).

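Theorem 3. Algorithm 1 requires

$$O\big(((\tfrac{1}{B} \det \Lambda')^{\delta} + (\tfrac{1}{B} \det \Lambda')^{1-\delta} + B^n (\log B)^{-1})(\Delta_K \det \Lambda')^{\epsilon}\big)$$

bit operations and $O((\frac{1}{B} \det \Lambda')^{\delta} \Delta_K^{\epsilon})$ bits of storage.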

Proof. First, assume that $\Lambda' = \Lambda_K$, i.e. no element in $\Lambda_K \setminus \Lambda'$ is found and $\Lambda'$ is not replaced by a larger sublattice of $\Lambda_K$.

The loop in lines 2-7 requires $O(\frac{B^n}{\log B} (\det \Lambda')^{\epsilon} \Delta_K^{\epsilon})$ bit operations as well as $O(\Delta_K^{\epsilon})$ bits of storage by the Corollaries 1 and 3. Note that the primes required can be computed with the Sieve of Eratosthenes in time $O(B^{1+\epsilon})$ bit operations, so this part of the computation does not affect the overall asymptotic running time.

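The value $R$ of Corollary 2 is in $O(\frac{1}{B} \det \Lambda')$ by Corollary 1. Hence, by Corollary 2, the loops in lines 9-13 and 14-18 require $O((\frac{1}{B} \det \Lambda' \cdot (\frac{1}{B} \det \Lambda')^{-(1-\delta)} + (\frac{1}{B} \det \Lambda')^{1-\delta}) \Delta_K^{\epsilon}) = O(((\frac{1}{B} \det \Lambda')^{\delta} + (\frac{1}{B} \det \Lambda')^{1-\delta}) \Delta_K^{\epsilon})$ bit operations and $O((\frac{1}{B} \det \Lambda')^{\delta} \Delta_K^{\epsilon})$ bits of storage.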
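Algorithm 1 Find $\Lambda_K \subseteq \mathbb{R}^n$, given a sublattice $\Lambda'$ of full rank.

Input: A basis $(v_1, \dots, v_n)$ of $\Lambda' \subseteq \Lambda_K$, a parameter $B > 1$, a parameter $\delta \in (0, 1)$.
Output: A basis of $\Lambda_K$.

 1: Reduce the basis $(v_1, \dots, v_n)$, i.e. make it mostly orthogonal.
 2: for all primes $p$ with $2 \le p \le B$ do
 3:   for all $(a_1, \dots, a_{n-1}) \in \{0, \dots, p-1\}^{n-1}$ do
 4:     Set $v = \frac{1}{p}(a_1 v_1 + \cdots + a_{n-1} v_{n-1} + v_n)$.
 5:     if $v \in \Lambda_K$ then
 6:       Compute a reduced basis $(\hat{v}_1, \dots, \hat{v}_n)$ of $\langle v_1, \dots, v_n, v \rangle_{\mathbb{Z}}$.
 7:       Replace $(v_1, \dots, v_n)$ by $(\hat{v}_1, \dots, \hat{v}_n)$ and restart the loop in line 3.
 8: Determine $a_1, \dots, a_n \in \mathbb{N}_{>0}$ such that $\prod_{i=1}^{n} a_i \approx (\frac{1}{B} \det \Lambda')^{1-\delta}$.
 9: for all $\mu \in \mathcal{E}(\mathcal{O}_K)$ with $\Psi(\mu) \in \sum_{i=1}^{n} v_i [-\frac{1}{a_i}, 0] + S$ do   /* $S$ as in Section 5 */
10:   Store $(\frac{1}{\mu}\mathcal{O}_K, \Psi(\mu))$ in the set $\mathcal{E}_{\mathcal{B}}$.
11:   if some $(\mathcal{O}_K, w) \in \mathcal{E}_{\mathcal{B}}$ with $w \notin \langle v_1, \dots, v_n \rangle_{\mathbb{Z}}$ is found then
12:     Compute a reduced basis $(\hat{v}_1, \dots, \hat{v}_n)$ of $\langle v_1, \dots, v_n, w \rangle_{\mathbb{Z}}$.
13:     Replace $(v_1, \dots, v_n)$ by $(\hat{v}_1, \dots, \hat{v}_n)$ and go back to line 5.
14: for all $w \in \{ \sum_{i=1}^{n} \frac{\ell_i}{a_i} v_i \mid \ell_i \in \mathbb{N},\ 0 \le \ell_i < a_i \}$ do
15:   Compute some $(\frac{1}{\mu}\mathcal{O}_K, \Psi(\mu))$ with $\mu \in \mathcal{E}(\mathcal{O}_K)$ and $\Psi(\mu) \in w + S$.
16:   if $(\frac{1}{\mu}\mathcal{O}_K, v)$ is found in $\mathcal{E}_{\mathcal{B}}$ for some $v \in \mathbb{R}^n$ with $\Psi(\mu) - v \notin \langle v_1, \dots, v_n \rangle_{\mathbb{Z}}$ then
17:     Compute a reduced basis $(\hat{v}_1, \dots, \hat{v}_n)$ of $\langle v_1, \dots, v_n, \Psi(\mu) - v \rangle_{\mathbb{Z}}$.
18:     Replace $(v_1, \dots, v_n)$ by $(\hat{v}_1, \dots, \hat{v}_n)$ and go back to line 5.
19: return $(v_1, \dots, v_n)$.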



Now, every time one finds an element in $\Lambda_K \setminus \Lambda'$, the index $[\Lambda_K : \Lambda']$ and $\det \Lambda'$ are divided by at least two. Hence, $\Lambda'$ is replaced at most $\log_2 [\Lambda_K : \Lambda']$ times. Now $[\Lambda_K : \Lambda'] = O(\det \Lambda')$; therefore, the above bounds for the number of bit operations need to be multiplied by $\log_2 \det \Lambda' = O((\det \Lambda')^{\epsilon})$.

Note that we can ignore the running time for the orthogonalization process. By Theorem 16.11 in [vzGG03], the running time of the basis reduction algorithm is bounded by $O(n^4 \log A)$ arithmetic operations on integers of length $O(n \log A)$, where $A = \max\{\|v_1\|, \dots, \|v_n\|\}$. Since $n = O(1)$ in our notation, the running time is bounded by $O((\det \Lambda')^{\epsilon})$ bit operations. □

We now optimize the running time for two situations. For our optimizations, we simplify the upper bound from Theorem 3 by omitting the $(\log B)^{-1}$ factor; then the running time is bounded by

$$O\big(((\tfrac{1}{B} \det \Lambda')^{\delta} + (\tfrac{1}{B} \det \Lambda')^{1-\delta} + B^n)(\Delta_K \det \Lambda')^{\epsilon}\big)$$

bit operations. Moreover, we ignore the $(\Delta_K \det \Lambda')^{\epsilon}$ part, i.e., we assume that all three operations (existence testing, baby stock computation, giant steps) are equally fast. Hence, we need to minimize the term $(\frac{1}{B} \det \Lambda')^{\delta} + (\frac{1}{B} \det \Lambda')^{1-\delta} + B^n$.

Note that these two simplifications are justified. If we minimize the original formula, the difference to our minimal running time can be bounded by $O((\Delta_K \det \Lambda')^{\epsilon})$, i.e. can be ignored since we have the factor $O((\Delta_K \det \Lambda')^{\epsilon})$ anyway.

First, we optimize without any restrictions on the amount of available memory. 
Corollary 4. If $B$ and $\delta$ can be chosen freely, optimal performance of Algorithm 1 is obtained for $\delta = \frac{1}{2}$ and $B = (\det \Lambda')^{\frac{1}{2n+1}} n^{-\frac{2}{2n+1}}$. In that case, one needs $O((\det \Lambda')^{\frac{n}{2n+1}+\epsilon} \Delta_K^{\epsilon})$ bit operations and $O((\det \Lambda')^{\frac{n}{2n+1}} \Delta_K^{\epsilon})$ bits of storage.

Proof. For fixed $B$, the expression $(\frac{1}{B} \det \Lambda')^{\delta} + (\frac{1}{B} \det \Lambda')^{1-\delta} + B^n$ is minimal for $\delta = \frac{1}{2}$; in that case, it attains the value $2 B^{-1/2} \sqrt{\det \Lambda'} + B^n$.

Differentiating this by $B$, we obtain $-\sqrt{\det \Lambda'} B^{-3/2} + n B^{n-1}$. This is zero if, and only if, $B = (\det \Lambda')^{\frac{1}{2n+1}} n^{-\frac{2}{2n+1}}$. In that case, it attains the value $2 (\det \Lambda')^{\frac{n}{2n+1}} n^{\frac{1}{2n+1}} + (\det \Lambda')^{\frac{n}{2n+1}} n^{-\frac{2n}{2n+1}}$. Plugging these choices for $\delta$ and $B$ in gives the result. □

Next, we investigate the situation in which the available memory is insufficient 
to store the optimal number of baby steps. 

Corollary 5. Assume that storage is limited to $T$ baby steps, and that one has less memory than required for the optimal running time of Algorithm 1 as in Corollary 4. Under this assumption, optimal performance of Algorithm 1 is obtained for $\delta = \frac{(1+n) \log T}{\log T + n \log \det \Lambda'}$ and $B = (\det \Lambda'/T)^{\frac{1}{n+1}}$. In that case, one needs $O((T + (\det \Lambda'/T)^{\frac{n}{n+1}+\epsilon}) \Delta_K^{\epsilon}) = O((\det \Lambda'/T)^{\frac{n}{n+1}+\epsilon} \Delta_K^{\epsilon})$ bit operations.

Proof. In this case, the number of operations required for the "baby steps" in the
loop in lines 9–13 of the algorithm is $O(T \Delta_K^{\epsilon})$. As optimal performance as in
Corollary 4 cannot be obtained, one needs to balance the number of operations
for the loop in lines 2–7 and the one in lines 14–18, i.e., one needs to choose $\delta$ and
$B$ such that $(\frac{1}{B} \det \Lambda')^{\delta} \approx T$ and $(\frac{1}{B} \det \Lambda')^{1-\delta} \approx B^n (\log B)^{-1}$. For simplicity, we
ignore the factor of $(\log B)^{-1}$ as in Corollary 4 and replace "$\approx$" by "=".

The first equality gives $B = T^{-1/\delta} \det \Lambda'$, whence the second translates to
$T^{(1-\delta)/\delta} = T^{-n/\delta} (\det \Lambda')^n$. But this gives $(T^{1+n})^{1/\delta} = T (\det \Lambda')^n$, i.e.,

$$\delta = \frac{(1+n) \log T}{\log T + n \log \det \Lambda'}$$

and, hence, $B = (\det \Lambda'/T)^{1/(n+1)}$. Plugging this in, we obtain the given bound. □
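The parameter choices of Corollaries 4 and 5, as an added Python sketch that is not code from the paper (which reports no implementation). The function names are hypothetical, the constants and $\Delta_K^{\epsilon}$ factors hidden in the O-notation are ignored, and the sample values are constructed.

```python
import math

def cost_terms(det, n, delta, B):
    """Terms (det/B)^delta, (det/B)^(1-delta), B^n of the simplified cost."""
    r = det / B
    return r ** delta, r ** (1 - delta), float(B) ** n

def total_cost(det, n, delta, B):
    return sum(cost_terms(det, n, delta, B))

def unrestricted(det, n):
    """Corollary 4: delta = 1/2, B = det^(1/(2n+1)) * n^(-2/(2n+1))."""
    return 0.5, det ** (1 / (2 * n + 1)) * n ** (-2 / (2 * n + 1))

def memory_limited(det, n, T):
    """Corollary 5: (delta, B) when at most T baby steps can be stored."""
    if T <= 1:
        raise ValueError("T must exceed 1 so that log T > 0")
    delta_opt, B_opt = unrestricted(det, n)
    # In the proof of Corollary 5 the term (det/B)^delta is matched with T,
    # so at the unrestricted optimum (det/B)^(1/2) baby steps are needed.
    if T >= cost_terms(det, n, delta_opt, B_opt)[0]:
        return delta_opt, B_opt  # memory suffices, Corollary 4 applies
    delta = (n + 1) * math.log(T) / (math.log(T) + n * math.log(det))
    B = (det / T) ** (1 / (n + 1))
    return delta, B

if __name__ == "__main__":
    det, n = 1e12, 2  # constructed sample values for det(Lambda') and the unit rank
    for T in (10**3, 10**4, 10**9):
        delta, B = memory_limited(det, n, T)
        cost = total_cost(det, n, delta, B)
        print(T, round(delta, 4), round(B, 2), f"{cost:.3e}")
```

With less memory the chosen $\delta$ drops below $\frac{1}{2}$ and the total cost rises above the unrestricted optimum, which is the trade-off Corollary 5 quantifies.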



7. Conclusions 

We have seen that our algorithm computes $\Lambda_K$ in

$$O((\det \Lambda')^{n/(2n+1)+\epsilon} \Delta_K^{\epsilon}) = O((\det \Lambda')^{1/2 - 1/(4n+2)+\epsilon} \Delta_K^{\epsilon})$$

bit operations, using $O((\det \Lambda')^{n/(2n+1)} \Delta_K^{\epsilon})$ bits of storage. In particular, our
algorithm generalizes the algorithm in [dHJW07] to number fields of arbitrary unit
rank, with the same complexity as [dHJW07] being obtained in our algorithm for
unit rank 1. In the case that memory is too limited for the optimal method, we
determined the value of $B$ for which optimal performance is obtained when using
a restricted amount of memory.

If $\det \Lambda' = O(\Delta_K^{1/2+\epsilon})$, for example when $\Lambda'$ is computed using Buchmann's
index-calculus algorithm and is correct assuming the GRH, we obtain a complexity
of $O(\Delta_K^{1/4 - 1/(8n+4)+\epsilon})$ bit operations. Thus, computing $\Lambda'$ with Buchmann's algorithm
followed by ours to verify that $\Lambda' = \Lambda_K$ yields an algorithm that computes $\Lambda_K$
unconditionally with expected complexity $O(\Delta_K^{1/4 - 1/(8n+4)+\epsilon})$ bit operations. Only the
complexity is dependent on the GRH, for both the running time and correctness
(required to bound the size of $\det \Lambda'$) of Buchmann's algorithm. This is always
asymptotically better than Buchmann's baby-step giant-step method for computing
$\Lambda_K$, whose running time is $O(\Delta_K^{1/4+\epsilon})$ bit operations. For unit rank one, i.e.,
for $n = 1$, we obtain $O(\Delta_K^{1/6+\epsilon})$ bit operations; this is the same complexity as in
[dHJW07]. For unit rank two, we obtain $O(\Delta_K^{1/5+\epsilon})$ bit operations; this is faster
than any other known algorithm for computing the units of a number field of unit
rank two whose correctness of the output does not depend on the GRH.

Even though the baby stock computation, giant step computation and existence
testing of lattice elements roughly need $O(\Delta_K^{\epsilon})$ bit operations, with some factor
polynomial in the logarithms of the dimensions of the involved objects, the running
times of these three operations vary a lot in practice. In particular, computing all
neighbors of a minimum is very slow compared to reducing an ideal, which is the
main operation when computing giant steps. Therefore, in practice, it makes sense
to first sample the running times of these three operations, and to find optimal
values of $\delta$ and $B$ that take this into account in a manner similar to the algorithm
in [dHJW07]. Moreover, it is also possible to re-adjust $\delta$ and $B$ after an element
in $\Lambda_K \setminus \Lambda'$ is found, as this changes $\det \Lambda'$. One can also optimize the running time
by reusing the already computed part of £ b when updating $\Lambda'$ in line 13.

Another possible practical improvement is to parallelize parts of the algorithm. 
In particular, the loops in lines EH3 and EH3 can easily be parallelized. The loops in 
lines 9–13 and 14–18 can be parallelized in a similar manner to all baby-step
giant-step type algorithms. As in [dHJW07], it is possible to re-optimize the running
time to find optimal values of $\delta$ and $B$ that take into account parallelization and
the number of processors used.

Note that these optimizations do not affect the asymptotic complexity of our 
algorithm. However, as in the case of real quadratic fields [dHJW07], we expect
that they will have a significant impact on its practical performance. 

So far, we do not have an implementation of our algorithm. The main problem 
is that the methods in Section 5, or more precisely computing all neighbors of
1 in a reduced ideal, are not implemented in any number theory library to our 
knowledge. All libraries and computer algebra systems which provide methods 
for computing units of number fields use Buchmann's subexponential algorithm 
[Buc90]. An implementation is not yet available, but is currently work in progress.
It will be interesting to see how our algorithm performs in practice. 